Merge pull request #88 from zooley/security-fix-link-target-blank

[fix] Close vulnerability by adding `rel="noopener"`
OSC · Oct 25, 2019 · 21decc6 · 21decc6
2 parents 007d39f + a8da214
commit 21decc6
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 34 deletions.
diff --git a/apps/dashboard/app/models/product_readme_markdown_renderer.rb b/apps/dashboard/app/models/product_readme_markdown_renderer.rb
@@ -28,7 +28,7 @@ def initialize(opts={})
   # open link in new window
   def link(link, title, content)
     link = OodAppkit.files.api(path: @app_path.to_s + '/' + link).to_s if @app_path && relative?(link)
-    return "<a href=\"#{link}\" target=\"_blank\">#{content}</a>" unless id_link?(link)
+    return "<a href=\"#{link}\" rel=\"noopener\" target=\"_blank\">#{content}</a>" unless id_link?(link)
     return "<a href=\"#{link}\">#{content}</a>"
   end
 

diff --git a/apps/dashboard/app/views/batch_connect/sessions/connections/_native_vnc.html.erb b/apps/dashboard/app/views/batch_connect/sessions/connections/_native_vnc.html.erb
@@ -3,7 +3,7 @@
   <ol>
     <li>
       Download the latest
-      <a href="https://github.com/OSC/osc-connect/releases/latest" target="_blank">OSC Connect</a>
+      <a href="https://github.com/OSC/osc-connect/releases/latest" rel="noopener" target="_blank">OSC Connect</a>
       if you don't already have it
     </li>
     <li>
@@ -15,7 +15,7 @@
   </ol>
 
   <p>
-    <a href="https://www.osc.edu/resources/getting_started/howto/howto_connect_to_osc_services_using_osc_connect" target="_blank">Troubleshoot OSC Connect issues</a>
+    <a href="https://www.osc.edu/resources/getting_started/howto/howto_connect_to_osc_services_using_osc_connect" rel="noopener" target="_blank">Troubleshoot OSC Connect issues</a>
   </p>
 
 <% elsif browser.platform == :mac || browser.platform == :linux %>

diff --git a/apps/dashboard/app/views/products/_form_git.html.erb b/apps/dashboard/app/views/products/_form_git.html.erb
@@ -1,5 +1,5 @@
 <div class="field">
-  <%= f.text_field :git_remote, help: "Example: <strong>git@github.com:Example/example.git</strong> (<a href='https://help.github.com/articles/generating-an-ssh-key/' target='_blank'>requires SSH key installed</a>) or <strong>https://github.com/Example/example.git</strong>".html_safe %>
+  <%= f.text_field :git_remote, help: "Example: <strong>git@github.com:Example/example.git</strong> (<a href='https://help.github.com/articles/generating-an-ssh-key/' rel='noopener' target='_blank'>requires SSH key installed</a>) or <strong>https://github.com/Example/example.git</strong>".html_safe %>
   <%= content_tag :pre, product.errors[:git_remote_error].first.html_safe, class: "text-danger" if product.errors[:git_remote_error].any? %>
 </div>
 <div class="alert alert-<%= ssh_key ? "success" : "danger" %> clearfix alert-ssh-key">

diff --git a/apps/dashboard/app/views/products/_form_manifest.html.erb b/apps/dashboard/app/views/products/_form_manifest.html.erb
@@ -7,7 +7,7 @@
       <%= f.text_field :title, :label=>"Name", placeholder: "My OnDemand App" %>
     </div>
     <div class="field">
-      <%= f.text_area :description, placeholder: "Description should go here.\n\nFormat using **markdown**.", help: "Format using <a href='https://guides.github.com/features/mastering-markdown/' target='_blank'>markdown</a>".html_safe, rows: 10 %>
+      <%= f.text_area :description, placeholder: "Description should go here.\n\nFormat using **markdown**.", help: "Format using <a href='https://guides.github.com/features/mastering-markdown/' rel='noopener' target='_blank'>markdown</a>".html_safe, rows: 10 %>
     </div>
   </div>
 </div>